Re: SFTP

From: Ranjeet Shetye (ranjeet.shetye2_at_zultys.com)
Date: 08/05/03

  • Next message: Spiewak, Jakub: "SSHD error"
    Date: Tue, 5 Aug 2003 10:46:37 -0700
    To: secureshell@securityfocus.com
    
    

    On 2003.08.04 19:36, Derek Martin wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > On Mon, Aug 04, 2003 at 12:53:40PM +0500, Ed J. Aivazian wrote:
    > > For the users who should use sftp only, set an `empty' shell (eg.
    > > #!/bib/sh \n echo "Good bye...")
    > > don't forget to put the script in /etc/shells
    >
    > This will NOT work.
    >
    > $ sudo sh -c "echo -e '#!/bin/sh\necho goodby\nexit 0'
    > >/usr/local/bin/badshell"
    > $ sudo chmod +x /usr/local/bin/badshell
    > $ sudo echo /usr/local/bin/badshell >> /etc/shells
    > $ sudo chsh rudy
    > Changing shell for rudy.
    > New shell [/usr/local/bin/rssh]: /usr/local/bin/badshell
    > Shell changed.
    > $ sftp rudy@localhost
    > Connecting to localhost...
    > rudy@localhost's password:
    > Received message too long 1198485348
    > $
    >
    > The problem here is that when you sftp to a host, sshd starts a copy
    > of the user's shell, with the command-line options appropriate for
    > running sftp-server, the server-side portion of sftp. Essentially:
    >
    > /path/to/shell -c /path/to/sftp-server
    >
    > Your version of a shell will not allow this to work.
    >
    > - --
    > Derek D. Martin
    > http://www.pizzashack.org/
    > GPG Key ID: 0xDFBEAD02
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.1 (GNU/Linux)
    >
    > iD8DBQE/LxgXdjdlQoHP510RAhNNAKChBNjoULDcFgLvmt62v8zAvnGeRgCfWBLD
    > oHVhib9tntuXFtV9bDJMqaY=
    > =okKo
    > -----END PGP SIGNATURE-----
    >

    hi,

    what about just using a simple "/bin/false" for the login shell for
    user ids that I dont want to log in but which I setup for sFTP ? that's
    what I've setup on my workstation at work (which is anyways protected
    by a corporate firewall - so I wouldn't ever see any cracking
    attempts). Would appreciate if anyone can show me that using "/bin/
    false" is NOT a secure way to shut off logins.

    thanks,

    -- 
    Ranjeet Shetye
    Senior Software Engineer
    Zultys Technologies
    Ranjeet dot Shetye2 at Zultys dot com
    http://www.zultys.com/
    --
    The views, opinions, and judgements expressed in this message are 
    solely those of the author. The message contents have not been reviewed 
    or approved by Zultys.
    

  • Next message: Spiewak, Jakub: "SSHD error"

    Relevant Pages

    • Re: SFTP
      ... Changing shell for rudy. ... Received message too long 1198485348 ... The problem here is that when you sftp to a host, ...
      (SSH)
    • SUMMARY: Non-interactive sftp
      ... whilst not allowing an interactive shell for this use. ... I had neglected to consider that sftp is simply an ssh subsystem - ... All of my research has led me to believe this is a permissions ... permissions on the mount-point where the destination filesystem ...
      (SunManagers)
    • Re: SSH
      ... SFTP and SCP all go to port 22 by default? ... Don't you just love that unix command line uniformity? ... No, but if you must play with Unix, you must either live with the shell ...
      (comp.os.vms)
    • Re: Chrooted sftp setup accessible with psftp, but not sftp
      ... how is this shell created? ... subsystem request for sftp ... Please either post your entire config (or reduce your config to a subset ... Now that I know psftp is doing special stuff to get a 'sftp' session ...
      (SSH)
    • [HPADM] SUMMARY Restricted SFTP without user being able to SSH into server
      ... they suggestions did not fit the desired security level. ... Setup a chroot environment for sftp. ... this script as the shell for the account. ... When I do an sftp to that server, I get a message "illegal user XYZ from ...
      (HP-UX-Admin)